CVE-2019-16113

Name of the Vulnerable Software and Affected Versions Bludit version 3.9.2

Description The issue allows remote code execution via the "bl-kernel/ajax/upload-images.php" endpoint. This is possible because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.

Recommendations For Bludit version 3.9.2, as a temporary workaround, consider restricting access to the "bl-kernel/ajax/upload-images.php" endpoint until a patch is available. Avoid allowing users to upload files with PHP code, especially with .jpg file names, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.